Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-ca7m-fb38-kfe2
Vulnerability ID VCID-ca7m-fb38-kfe2
Aliases CVE-2022-36883
GHSA-v878-67xw-grw2
Summary Lack of authentication mechanism in Jenkins Git Plugin webhook Git Plugin provides a webhook endpoint at `/git/notifyCommit` that can be used to notify Jenkins of changes to an SCM repository. For its most basic functionality, this endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. In Git Plugin 4.11.3 and earlier, this endpoint can be accessed with GET requests and without authentication. In addition to this basic functionality, the endpoint also accept a `sha1` parameter specifying a commit ID. If this parameter is specified, jobs configured with the specified repo will be triggered immediately, and the build will check out the specified commit. Additionally, the output of the webhook endpoint will provide information about which jobs were triggered or scheduled for polling, including jobs the user has no permission to access. This allows attackers with knowledge of Git repository URLs to trigger builds of jobs using a specified Git repository and to cause them to check out an attacker-specified commit, and to obtain information about the existence of jobs configured with this Git repository. Git Plugin 4.11.4 requires a `token` parameter which will act as an authentication for the webhook endpoint. While GET requests remain allowed, attackers would need to be able to provide a webhook token. For more information see [the plugin documentation](https://github.com/jenkinsci/git-plugin/#push-notification-from-repository).
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-862 Missing Authorization
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-36883.json
epss 0.78584 https://api.first.org/data/v1/epss?cve=CVE-2022-36883
epss 0.78584 https://api.first.org/data/v1/epss?cve=CVE-2022-36883
epss 0.78584 https://api.first.org/data/v1/epss?cve=CVE-2022-36883
epss 0.78584 https://api.first.org/data/v1/epss?cve=CVE-2022-36883
epss 0.78584 https://api.first.org/data/v1/epss?cve=CVE-2022-36883
epss 0.78584 https://api.first.org/data/v1/epss?cve=CVE-2022-36883
epss 0.78584 https://api.first.org/data/v1/epss?cve=CVE-2022-36883
epss 0.78584 https://api.first.org/data/v1/epss?cve=CVE-2022-36883
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-v878-67xw-grw2
cvssv3.1 6.5 https://github.com/jenkinsci/git-plugin
generic_textual MODERATE https://github.com/jenkinsci/git-plugin
cvssv3.1 6.5 https://github.com/jenkinsci/git-plugin/commit/b46165c74a0bf15e08763de2e506005624d5d238
generic_textual MODERATE https://github.com/jenkinsci/git-plugin/commit/b46165c74a0bf15e08763de2e506005624d5d238
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2022-36883
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2022-36883
cvssv3.1 6.5 https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284
generic_textual MODERATE https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284
cvssv3.1 6.5 http://www.openwall.com/lists/oss-security/2022/07/27/1
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2022/07/27/1
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-36883.json
https://api.first.org/data/v1/epss?cve=CVE-2022-36883
https://github.com/jenkinsci/git-plugin
https://github.com/jenkinsci/git-plugin/commit/b46165c74a0bf15e08763de2e506005624d5d238
https://nvd.nist.gov/vuln/detail/CVE-2022-36883
https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284
http://www.openwall.com/lists/oss-security/2022/07/27/1
2119656 https://bugzilla.redhat.com/show_bug.cgi?id=2119656
GHSA-v878-67xw-grw2 https://github.com/advisories/GHSA-v878-67xw-grw2
RHSA-2023:0017 https://access.redhat.com/errata/RHSA-2023:0017
RHSA-2023:0560 https://access.redhat.com/errata/RHSA-2023:0560
RHSA-2023:0777 https://access.redhat.com/errata/RHSA-2023:0777
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-36883.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/jenkinsci/git-plugin
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/jenkinsci/git-plugin/commit/b46165c74a0bf15e08763de2e506005624d5d238
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-36883
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at http://www.openwall.com/lists/oss-security/2022/07/27/1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.99031
EPSS Score 0.78584
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:07:24.049224+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-v878-67xw-grw2/GHSA-v878-67xw-grw2.json 38.0.0